(57) Abstract

In a method for providing copy-protection services on storage media, the locations where
the data, preferably arranged in blocks, are stored, are chosen by a (preferably built-in)
controller on a random basis. Using an encryption key which depends critically on the
position of the data on the storage medium, decrypting copied data is made virtually impossible.

COPY-PROTECTION ON A STORAGE MEDIUM BY RANDOMIZING LOCATIONS AND KEYS UPON WRITE ACCESS



The invention relates to a method for providing copy-protection to a data
storage medium, in particular to solid state memory modules. With advancing technology
new generations of portable audio playback and recording devices will be based on solid
state technology. Arguments in favor are based on weight, power and shockproofness
considerations.

Software providers, e.g. music publishers, require measures against
unauthorized copying of the digitally stored information, with little or preferably no
inconvenience to an authorized user. In addition, the method and system should support such
business models as rental, try-before-you-buy, and controlled copying (e.g. super
distribution). A particular problem is posed by devices that can potentially access all
information on the storage medium, without complying with protection standards.

Known anti-copying solutions use a unique identification code (ID) that is
'engraved' in the storage medium. At some point in time, this may be disadvantageous
because of privacy considerations. Furthermore, as will be explained below, methods which
mainly rely on such an ID do not provide adequate protection against a copying scheme
known as a 'replay attack'.

It is therefore an object of the invention to provide a method and system that
provides protection against replay attacks, without necessarily employing a unique ID, in a
relatively inexpensive manner that requires only moderate processing facilities.

The basic idea for this copy protection method and system is that the data is
encrypted using a key that critically depends on the location(s) in which the data is stored,
and which is combined with a method that renders it impossible to predict where the data will
be actually stored on the medium. Accordingly, copying of the data will result in an
unpredictable change of the storage location, thus breaking the critical relation between the
latter and the encryption key. Therefore, once the data has been moved, it can never be
recovered, provided that the cryptography is sufficiently strong, the random number
generator is cryptographically strong, and any secrets are kept well hidden.

In consequence, amongst other things, it is an object of the present invention
to provide an inexpensive method for storing data on storage media, where the relation
between encryption key and storage location will be disrupted upon copying operations.

The present invention is particularly suited for solid state memory modules
which provide easy random access to any location in the memory, be it on the basis of a bit, a
byte or on some other entity such as a uniform sized sector that relates to the access width of
the memory in question.

Now, therefore, according to one of its aspects the invention is characterized in
that the data on the storage medium are encrypted with a key K which depends on the
position (L1, L2, Li) of the data on the storage medium, and that in each write operation the
data is stored in locations on the storage medium that are chosen at random.

The invention also relates to a system arranged for implementing a method as
claimed in claim 1, a player for playing a recording prepared according to a method as
claimed in claim 1, and a record carrier prepared according to a method as claimed in claim
1. Further advantageous aspects of the invention are recited in dependent Claims.

These and other objects of the invention will be apparent from and elucidated with reference
to the embodiments described hereinafter.
In the drawings:

Figure 1 shows a conceptual two-player arrangement.
Figure 2 illustrates the mechanism of replay attacks in the prior art.
Figure 3 shows a schematic diagram of a storage medium embodiment.
Figure 4 shows an example of a file structure.

Figures 5A and 5B illustrate an example of a method in accordance with the
invention and how this method prevents 'replay attacks'.

Figures 6A and 6B illustrate a further example for a method in accordance
with the invention.

Figure 1 illustrates a conceptual two-player arrangement, with two players A and B, and a
removable module C that may be transposed between the players. As shown, both players
have appropriate means for inserting the module. In the rest of the discussion it is assumed
that this removable module may be accessed by other means as well (e.g. PC based readers).




This poses the risk of unauthorized copying of the data on the module, assuming that the
players A and B do not allow unauthorized copying. The preferred embodiments are
described in relation to a Solid State Audio player and module, although the invention may
be used in a broader context.

Within a few years, Solid State Audio (SSA) players are expected to become a
new standard for portable audio playback devices. This is mainly due to many advantages on
weight, size, power use, and shock resistance, with respect to current solutions using disc or
tape. Currently available SSA players combine 32-64 MB of flash memory and audio
compression techniques such as MPEG 1 layer III (MP3) or AAC to achieve up to one hour
of (near) CD quality music playing time. Due to the digital nature of these devices and the
associated ease of copying, however, the music industry insists on proper copyright
protection features.

One of the tools for copy protection of digital content is encryption. While
encryption by itself does not prevent illegal copying, it does render such copies useless, as
the original content can be retrieved only by decrypting it using the proper key. As a result,
playback of the content is limited to those devices that have access to that key. It is an
objective of the copy protection system to manage the keys in such a way that illegal copying
is prevented, while at the same time not inconveniencing legal and intended use of the
content.

Most of the memory modules for solid state multimedia storage applications comprise a large
flash memory and an on-board controller. The controller may or may not be integrated, and
multiple separate memory chips may be employed on the module. Examples of such
multimedia memory modules are: Memory Stick (Sony), SmartMedia (SSFDC Forum),
Miniature Card (MC Forum), Compact Flash (PCMCIA Forum), Multimedia Card (MMC
Association). In addition, these devices can be thought of as block devices, similar to hard
disk drives, where memory accesses occur by addressing sectors (typically 512 bytes) on the
module. Indeed, some of the modules listed above employ the ATA interface standard, which
is used to connect hard disks and other peripherals to a PC. This enables easy duplication (bit
by bit) of the content of such memory modules using a PC. Other modules use a proprietary
interface and command set, but still are block based, i.e. individual sectors on the module can
be addressed and modified.

In the following, it is assumed (see Figure 1) that an SSA player employs
detachable memory modules, which can be accessed by other means as well (e.g. PC based
readers).

Basically, two approaches exist for copy protection. The first is to bind the
audio to a specific player by providing each individual player with a unique, secret number
that is used as the key to encrypt the audio. Therefore, the audio stored on memory modules
by one player will play on that player only. Of course, this is very annoying if one has
multiple SSA players. It is required that one is able to play music stored on a memory
module, regardless of the SSA device used to download it onto the module. What should be
prevented, however, is that a user can copy the audio content to another module and be able
to play from both.

One known solution is to embed a unique identification code (ID) in the
memory module, which can be read by the application, but which cannot be changed. This
identification code can then be used to generate an encryption key, which is specific for the
module.

Another known solution is to make use of defects in the memory modules,
which naturally occur as a result of the manufacturing processes used to fabricate cheap but
high storage capacity flash memories. The locations of these natural defects probably will be
unique for each module, and as such can act as a 'fingerprint' of that device. Again, a unique
key can be generated, which is specific for the module.

These known solutions, however, necessitate a unique identification code, and they do not
provide protection against replay attacks. A 'replay attack' is a form of copying in which an
unauthorized copy is made from one system (system 1) to another (system 2), where the
unauthorized (but unplayable) copy on system 2 can be used to restore a playable copy on
system 1 over and over again, even after expiration of the original copy. Figure 2 illustrates this
in more detail. Each system comprises a unique identification code, represented by ID1 for
system 1 and ID2 for system 2, and contains files in which the content is stored as a sequence
of separate blocks. In this example the data in respect of rights and usage on the original copy
are encrypted with a key that is derived from ID1 and a secret S. In a 'try-before-you-buy' or
a rental business model, further access to the data is denied after a certain period of time, or
after a number of uses. Copying the data to a system having a unique identification code ID2
(second step in Figure 2) will not render a usable copy, since the identification code does not
match the code ID1. However, this copy is exactly (bit-by-bit) the same as the original; it can
at any time be recopied back from system 2 to system 1 and that copy of a copy can be used
again. This enables a fraudulent customer to retain on system 2 a copy that can be recopied
again and again on system 1 where it will be usable. So, after obtaining content on a
'try-before-you-buy' basis, the fraudulent customer copies the data from system 1 to system 2,
and recopies it again and again from system 2 to system 1 in order to keep 'trying'.
'Try-before-you-buy' thus has become 'try-indefinitely'. Likewise this scheme can be used to pay
once for a rental and have a copy for ever.

To effectively use a storage device, it is necessary to implement a file system
by means of which the user data is organized and accessed. By treating the memory module
as a block device, the creation and management of a file system is left to the application. In a
PC environment, where the operating system already has built-in file system support, this is a
logical choice: by supporting the ATA standard this support can be reused for the memory
module without any modification. However, in stand-alone devices, such as an SSA player,
the application is burdened with file system details if the memory module employs the block
device approach. Therefore, stand-alone (portable) applications which require storage of
multimedia content may be built more efficiently if a controller unit on the memory module
takes care of the file system details.

Figure 3 represents a schematic diagram of a memory module embodiment 20.
For simplicity, electromechanical interfacing to the player has not been detailed in the Figure.
The storage area 30 has an access time that is substantially independent of the physical
storage location. The controller 22 controls the access to the storage proper. Various
sub-systems have been shown therein: the host interface 24, the memory interface 26, and the file
system 28. External write and internal selection to the memory are shown as well. Within the
Application Programming Interface (API) the following functionality should be present. For
memory formatting, an optional volume number is outputted that is either uniquely fixed and
hard-wired, or a random number that is generated each time the command is executed. This
number may only be changed when executing the formatting command, thereby destroying
all data on the device. The copy protection proper does not expressly need this number. To
create a file, a reusable file ID is produced for later referencing the file in question. When
writing a block, a sector number is produced that is a random choice from the free block list.
Depending on the implementation, the sector number that is produced can be the actual sector
number in which the data proper were stored during the write operation, or it can be the
sector number in which the data will be stored during the next write operation. This amongst
others is possible in solid state audio devices without appreciable loss of time because the
flash memory is not hampered by a seek time as is common in disk based systems. Such random
choice in addition helps to level wear over the entire device. The application may use or
discard the sector number returned by the block write command as required. When reading a
block, the file ID controls outputting the data proper and the sector number of the current or
next block to be read.

Figure 4 illustrates an example of a file structure, that is distributed into
blocks, each having the size of a single sector of 512 bytes. The first block carries
information regarding the file, while the others have the file data proper. The above
organization will block the making of a bit-wise copy of the module, inasmuch as no
modification facility for individual sectors has been provided. Copying to an intermediate
storage location and subsequently recopying the data on the module (which constitutes the
'replay attack' as explained above) will copy the data to completely different locations. This
in itself provides some protection against copying. Copy protection is further provided by
encrypting a data block through a key that is derived from a secret and also from the location
(for instance and preferably the sector number) where the data in question is stored. The latter
information may be derived from the block write function that returns the sector number of
the next file sector. As this information is not available for the first block, the latter may be
used for less sensitive data. This limitation is overcome by letting the file create function
return the sector number of the first sector in the file where the data proper (i.e. the file info)
will be written. For reading, the present or next sector number is available before reading of
the actual data, allowing the application to calculate the proper decryption key in time. The
encryption key thus combines the location of the storage, and a method that renders it
impossible to predict this location. Copying will change the storage location, and in
consequence will break the relation between location and decryption key. Note that the secret
used in the derivation of the key may be a globally shared secret between all players, or may
be derived by other methods well known to those skilled in the art.

Figures 5A and 5B illustrate a method in accordance with the invention. Each
time data blocks are written, the controller 22 writes the data in randomly chosen locations.
In Figures 5A and 5B the locations are indicated by L1, L2 etc. The data are encrypted with a
key which is dependent on a secret S and a location Li or a combination of locations Li (for
instance the location of the block that is written, or of the previous block, or of the block that
is written and the previous block etc).

Making a copy of the data of the memory module will (see Figure 5B) change
in an irreproducible manner the locations of the data. In fact such will happen twice.
Therefore, a recopy of a copy will have data for which the positions (L1'', L2'' etc.) do not
correspond to the arguments needed for a proper decryption of the data. Subsequently the
copy of the copy cannot be decrypted and is useless. The 'replay attack' is prevented.
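
The scheme of Figures 5A and 5B can be simulated as follows. This is an added example, not code from the patent: the names `Module`, `player_store`, `player_play` and `raw_copy` are hypothetical, HMAC-SHA256 is an assumed key derivation, and the SHA-256 keystream is a stand-in for a real cipher.

```python
import hashlib
import hmac
import secrets

_rng = secrets.SystemRandom()  # the scheme needs a cryptographically strong RNG

def block_key(secret: bytes, sector: int) -> bytes:
    # Key depends on secret S and location L (HMAC-SHA256 is an assumed KDF).
    return hmac.new(secret, sector.to_bytes(4, "big"), hashlib.sha256).digest()

def xor_stream(key: bytes, data: bytes) -> bytes:
    # Stand-in cipher for the demo: SHA-256 counter keystream, encrypt == decrypt.
    n = (len(data) + 31) // 32
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(n))
    return bytes(a ^ b for a, b in zip(data, stream))

class Module:
    """Memory module whose controller, not the host, chooses every sector."""
    def __init__(self, sectors: int = 4096):
        self.free = set(range(sectors))
        self.store = {}   # sector -> stored bytes
        self.files = {}   # file id -> sectors in write order
        self.next = {}    # file id -> sector reserved for the next write

    def _reserve(self, file_id):
        sector = _rng.choice(sorted(self.free))  # random pick from the free block list
        self.free.remove(sector)
        self.next[file_id] = sector
        return sector

    def create(self, file_id):
        self.files[file_id] = []
        return self._reserve(file_id)   # sector of the first block

    def write_block(self, file_id, data: bytes):
        self.store[self.next[file_id]] = data
        self.files[file_id].append(self.next[file_id])
        return self._reserve(file_id)   # sector the next write will use

    def read_blocks(self, file_id):
        return [(s, self.store[s]) for s in self.files[file_id]]

def player_store(module, file_id, secret, blocks):
    sector = module.create(file_id)
    for plain in blocks:  # encrypt each block for the sector it is about to occupy
        sector = module.write_block(file_id, xor_stream(block_key(secret, sector), plain))

def player_play(module, file_id, secret):
    return [xor_stream(block_key(secret, s), c) for s, c in module.read_blocks(file_id)]

def raw_copy(src, src_id, dst, dst_id):  # bit-exact copy; dst's controller picks sectors
    dst.create(dst_id)
    for _, cipher in src.read_blocks(src_id):
        dst.write_block(dst_id, cipher)

def demo():
    secret = secrets.token_bytes(32)                 # S, constructed for this example
    track = [bytes([n]) * 512 for n in range(4)]     # constructed sample content
    a, b = Module(), Module()
    player_store(a, "song", secret, track)
    raw_copy(a, "song", b, "song")       # copy to a second module
    raw_copy(b, "song", a, "restored")   # back to A; "song" still holds its sectors
    return tuple(player_play(m, f, secret) == track
                 for m, f in ((a, "song"), (b, "song"), (a, "restored")))
```

`demo()` reports whether the original, the copy on the second module, and the copy of the copy each decrypt to the original content; only the original does.
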
Figures 6A and 6B show an embodiment of the invention in which all data are
encrypted with a key K (which may consist of a single key or a block of keys), that itself is
stored encrypted with a key K', which is the output of a hash function having as arguments
the locations L1, L2, L3, etc. and a secret S. K' thus depends on the positions of the data blocks,
in this case on the total sequence in which the data blocks are written. Since at each write
access the locations L1, L2, L3 are changed in an unpredictable manner, the result of the hash
function H and thereby the key K' is changed. If the content is copied and recopied the player
will fail (as in the method illustrated in Figures 5A and 5B) to recover the keys because K' is
changed in an intractable manner. Accordingly any replay attack fails. Thus copying is
prevented in an inexpensive manner requiring only moderate processing facilities and
without the need of a unique identification code. It is noted that the invention provides the
possibility of copy protection without the need for a unique identification code. This does
not exclude use of such a code for other reasons or for extra protection.

It is also possible to arrange the data in groups of blocks, and groups of blocks are written in
random locations. The same schemes as above may be used for groups of blocks, instead of
single blocks. 'Random locations' within the concept of the invention in its broadest sense
means locations that for all due purposes cannot be predicted in advance. 'For all due
purposes' is stated since to get random numbers or locations use is usually made of some
kind of algorithm. Substantially truly random, i.e. substantially evenly distributed throughout
the memory module, is preferred to even out wear of the device. Although preferably the
method is applied to all or substantially all data in the memory module, the invention
encompasses embodiments in which the method is applied to only a part of the data in the
memory module. This could for instance be advantageous from the point of view of speed of
operation. The invention is not restricted to using one and only one encryption method. When
the data are divided in groups, embodiments using different encryption methods and different
ways of dependency of said encryption methods on the locations may be used for different
groups. This reduces the risk of unauthorised decryption. Although the controller may be
provided in the system apart from the memory module, preferably the controller unit by
which the random locations are chosen is integrated in the memory module. This makes it
difficult to circumvent the method or influence the choice of locations of data.



In a method for providing copy-protection services on storage media, the
locations where the data, preferably arranged in blocks, are stored, are chosen by a
(preferably built-in) controller on a random basis. Using an encryption key which depends
critically on the position of the data on the storage medium, decrypting copied data is made
virtually impossible.

CLAIMS:

1. Method for providing copy-protection services on a storage medium,
characterised in that data on the storage medium are encrypted with a key (E(Li, S), K')
which depends on a position (Li) of data in the memory module, and that in each write
operation data is written into positions on the storage medium that are chosen at random.

2. Method as claimed in claim 1, characterized in that the data are arranged in
blocks having a sector number and during each block write the sector number for the current
or next block is randomly chosen from a free block list.

3. Method as claimed in claim 1 or 2, characterized in that the data on the storage
medium are arranged in blocks, and a block is encrypted with a key which depends on the
position of one or more of the blocks.

4. Method as claimed in claim 3, characterised in that a block is encrypted with a
key dependent on the position of said block.

5. Method as claimed in claim 3, characterized in that a block is encrypted with a key
which depends on the position of a previously written block.

6. Method as claimed in claim 3, characterized in that a block is encrypted with a
key which depends on the positions of all of the blocks.

7. Method as claimed in claim 3, characterized in that the storage medium is a
removable solid state memory module (C).

8. System arranged for implementing a method as claimed in claim 1, comprising
a controller unit for choosing the locations at random.

9. Player for playing data from storage media having data prepared according to
a method as claimed in claim 1.

10. Storage medium prepared according to a method as claimed in claim 1,
comprising a controller unit for choosing the locations at random.